    Enforcing security policies with runtime monitors

    Monitoring is an approach to securing code that allows potentially malicious code to run by observing its execution and intervening when needed to prevent a violation of a security policy. This method has several promising applications, notably with regard to securing mobile code. Academic research on monitoring has generally focused on two questions. The first is to delineate the range of security policies enforceable by monitors operating under various constraints. The second is to construct methods for inserting a monitor into a program, producing a new instrumented program that respects the security policy enforced by that monitor. But although a wide range of monitors has been studied in the literature, work on inserting monitors into programs has been limited to one particular class of monitors, which are among the simplest and most restricted in the range of policies they can enforce. This thesis extends both research avenues mentioned above and sheds new light on these questions. It first seeks to extend the range of policies enforceable by monitoring, by developing a new approach for inserting a monitor into a program. By giving the monitor access to a model of the program's behaviour, the study shows that the monitor gains the ability to enforce a wider range of security policies. Moreover, the research has also shown that a monitor capable of transforming the execution it supervises is more powerful than one that lacks this capability. Naturally, constraints must be imposed on this capability for policy enforcement to be coherent. Otherwise, if no restriction is imposed on the monitor, any policy becomes enforceable, but not in a useful or desirable way. In this study, we propose two new paradigms for enforcing security policies that incorporate reasonable restrictions on a monitor's ability to transform the executions under its control. We study the range of policies enforceable with these paradigms and give examples of real-world policies that can be enforced using our approach.

    Execution monitoring is an approach that seeks to allow untrusted code to run safely by observing its execution and reacting if need be to prevent a potential violation of a user-supplied security policy. This method has many promising applications, particularly with respect to the safe execution of mobile code. Academic research on monitoring has generally focused on two questions. The first relates to the set of policies that can be enforced by monitors under various constraints and the conditions under which this set can be extended. The second question deals with the way to inline a monitor into an untrusted or potentially malicious program in order to produce a new instrumented program that provably respects the desired security policy. This study builds on the two strands of research mentioned above and brings new insights to them. It seeks, in the first place, to increase the scope of monitorable properties by suggesting a new approach to monitor inlining. By drawing on an a priori model of the program's possible behavior, we develop a monitor that can enforce a strictly larger set of security properties. Furthermore, longstanding research has shown that a monitor that is allowed to transform its input is more powerful than one lacking this ability. Naturally, this ability must be constrained for the enforcement to be meaningful. Otherwise, if the monitor is given too broad a leeway to transform valid and invalid sequences, any property can be enforced, but not in a way that is useful or desirable. In this study, we propose two new enforcement paradigms which capture reasonable restrictions on a monitor's ability to alter its input. We study the set of properties enforceable under these enforcement paradigms and give examples of real-life security policies that can be enforced using our approach.

    What can you verify and Enforce at Runtime?

    The underlying property, its definition and representation play a major role when monitoring a system. Having a suitable and convenient framework to express properties is thus a concern for runtime analysis. It is desirable to delineate in this framework the sets of properties to which runtime analysis approaches can be applied. This paper presents a unified view of runtime verification and enforcement of properties in the Safety-Progress classification. Firstly, we extend the Safety-Progress classification of properties to a runtime context. Secondly, we characterize the set of properties which can be verified (monitorable properties) and enforced (enforceable properties) at runtime. In particular, we propose an alternative definition of "property monitoring" to the one classically used in this context. Finally, for the delineated sets of properties, we define specialized verification and enforcement monitors.

    NIOSH strategic plan : FYs 2019-2023

    Version 4: October 2019. "The National Institute for Occupational Safety and Health (NIOSH) studies occupational safety and health through scientific research. The Institute then transforms its research into cost-effective, global work practices. The Occupational Safety and Health Act of 1970 established NIOSH and it is now part of the Centers for Disease Control and Prevention in the U.S. Department of Health and Human Services. NIOSH works with public and private sectors to make work safer, healthier, and more productive for workers, employers, and the nation. The NIOSH Strategic Plan reports research and service goals for fiscal years 2019-2023. These goals address a broad range of occupational health and safety hazards, affecting an ever-changing workforce. Jobs in the U.S. economy continue to shift from manufacturing to services. Longer hours, compressed workweeks, an aging workforce, reduced job security, and part-time and temporary work have also changed the workforce. These changes represent a major challenge for NIOSH as it manages limited resources to address its research portfolio priorities. The NIOSH Strategic Plan introduces strategic, intermediate, and activity goals that guide occupational health and safety research priorities and service work. NIOSH's unique portfolio of research programs includes sector, cross-sector, and core and specialty research programs. These programs perform research that covers a wide range of activities, from basic to applied research. Service work covers non-research work that supports NIOSH's mission or fulfills a legislative mandate. Service work can also support research work within NIOSH and outside with external partners. For example, the Surveillance Program provides data and analysis as a service to both NIOSH's programs and to external partners, while the Health Hazard Evaluation Program provides an external service. NIOSH awards funding priority to outside researchers conducting extramural projects that address the research goals identified in the NIOSH Strategic Plan. NIOSH will also lead new intramural projects to address the goals stated within this plan. NIOSH recognizes that new issues may emerge or become more important during the five-year plan. Goals may be retired because they have been achieved. Priorities may shift in response to changing conditions. NIOSH will add or remove issues based on current or anticipated burden, need, and impact and allocate resources to address these changes. The next section explains how NIOSH develops and organizes its research goals and the section after that focuses on how NIOSH develops and organizes service goals." - NIOSHTIC-2, NIOSHTIC no. 20061089